Tracking is no longer just on the rails for Boston's MBTA

The advertising contractor for metropolitan Boston’s subway rail system is launching a program to track riders with smart beacon technology. The company emphasizes that it is voluntary and anonymous, but privacy experts are not convinced.

Big Conductor could be watching you … but only if you want him (or her) to.

That, of course, is not the way a press release a couple of weeks ago put it, announcing the launch of a pilot program by private contractor Intersection to track riders who are using the Massachusetts Bay Transportation Authority (MBTA) system in 10 of its stations in Boston and Cambridge.

The pitch from Intersection, an “urban experience” company created through a merger of media company Titan and technology firm Control Group, is that the program’s goals are to improve the rider experience and to help companies that advertise with the MBTA “increase engagement and interaction with commuters” who are near to their stores – targeted ads, in other words.

This will be accomplished through what Intersection says is, “a secure, closed network of Gimbal Bluetooth Smart beacons,” that will collect no personally identifiable information (PII), since they are, “transmit-only Bluetooth low-energy devices that send out a signal that can only be used by user-enabled apps running on mobile devices to trigger location-specific content.”

The company said riders will be tracked only if they, “download an app that utilizes the technology and opt in, to allow the app to receive the beacon’s signal.”

Gimbal, in a prepared statement, emphasized not only the anonymity of the program but also the choices available to riders, who can disable it by turning off location services or Bluetooth on their phones.

The company said it is TRUSTe certified and a member of the Future of Privacy Forum (FPF).

All of which sounds like no surreptitious invasion of personal privacy, since even those who agree to be tracked will remain anonymous.

Not necessarily, according to a number of privacy experts, who say the announced safeguards are too vague to guarantee anonymity.

Privacy and encryption expert Bruce Schneier, CTO of Resilient Systems, said in a world of increasing surveillance by both the private and public sectors, this program probably ranks on the low end of the risk to privacy, although “it depends on the details.” But he said it is difficult to preserve anonymity when downloading an app.

“Can you get into the iTunes store without a credit card?” he asked. “I can’t.”

Others are more emphatic about the privacy risks. Lee Tien, senior staff attorney at the Electronic Freedom Foundation, said even if the beacons don’t collect any data, “it’s unclear to me what the app does with any information it collects. Unless that’s made clear, those who volunteer won’t have done so in an informed way.

“We know that apps also can surreptitiously collect other data on the phone, which can be linked to the ID of the phone,” he said.

And Rebecca Herold, CEO of The Privacy Professor and cofounder of SIMBUS360, said apps are, “some of the most privacy invasive technologies around because of all the data they can suck up from the device – about what the device user is doing, whereabouts, etc., with absolutely no direct interaction with the device users to ask to have data explicitly provided by them.”

Herold and others said there is far too much wiggle room in terms like “personal data,” “consumer information” and “closed network.”

“What does a ‘closed network’ mean?” she said. “That no one but their business employees are able to access it? It would imply that they do not outsource access to the data to any third parties, but they do not explicitly state this.”

Things like that also trouble Dennis Devlin, cofounder, CISO and CPO of SAVANTURE. Even though the company says the system will not collect any PII and will be on a closed network, there is clearly some collection going on if riders can receive push notifications from advertisers. “The notice is vague as to exactly what is being collected and how it will be used after collection, and there is no access provision for individuals to see their own data,” he said.

He added that, “there is no such thing as guaranteed anonymity when it comes to geolocation data collected from a mobile device.”

The involvement of an app, or apps, for the program is apparently based on vendors advertising through Intersection with the MBTA. While the press release from Intersection says, “a user must download an app that utilizes the technology,” Caitlyn Kasunich, a media representative for Intersection, said there is, “no overarching pilot program app; there will be third-party apps that become part of the program.”

Every device has multiple identities related to the device itself … once collected such data can potentially be joined with other data … and suddenly the customer becomes the product, and someone else becomes the customer.

Dennis Devlin, cofounder, CISO and CPO, SAVANTURE

Indeed, Jason B. Johnson, deputy press secretary of the MBTA, said Intersection is the contracted, “manager of the T’s advertising program. As such, the Pilots Beacon Initiative was not created by the T.”

But Herold noted that a key phrase from the Intersection press release is that the program is designed to show how, “technology can enable citizens to have more unique, tailored experiences with both cities and brands.” She said there is no way to “tailor” experiences without an app that connects individuals to the program, and without PII being involved.

Kelsey Finch, policy counsel at FPF, agrees that is the key element that should concern users.

“Beacons themselves cannot pinpoint smartphone position and do not track smartphone owner movement,” she said. “They can only detect that a Bluetooth-enabled device has entered a particular zone.”

But while the beacons themselves don’t collect any data or send messages, “they enable an app associated with them to understand more precisely where you, or your phone, are,” she said. “It’s the app that collects the data and uses it to send users messages when they are near a particular beacon. As to whether apps can promise not to collect PII, that’s a different question.”

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.